Cyber Risk Legal update - March 2015

Information Security and Data Protection for Financial Services

On 2 March, I braved the snow and crossed a picket line (PCS members working at the Information Commissioner's Office chose the conference day to escalate their campaign of strike action for fair pay) to attend the annual ICO Conference in Manchester.

The conference provides an opportunity for data protection practitioners across the UK to raise questions, hear presentations on a range of topical issues, subscribe to relevant seminars and meet others engaged in similar roles across all sectors. The slides are available here for those of you who were not able to make it. Herewith the interesting insights I gained from this year's conference:

Towards a New Regulation: In the eyes of the ICO, the new Data Protection Regulation has become a "when" rather than an "if". The UK government has given up on its campaign for the Regulation to be a Directive (requiring local implementation and therefore a degree of discretion). The prediction for the finalisation of the Regulation text is around March 2016. There will then be a 2-year implementation period;

Harmonised Security Guidance: The Government and the ICO will be working together over the coming months to produce a harmonised guide on IT security, combining the ICO's Practical Guide available here with the Government Cyber Essentials basic technical measures document available here;

Still Life in Safe Harbor: Despite the German offensive against Safe Harbor, David Smith, Deputy Information Commissioner, does not think the US Safe Harbor Scheme will be suspended any time soon. In fact, even in response to the European Parliament's concerns about the failings in the self-regulatory regime, David Smith sees no need for UK companies to be doing additional due diligence on Safe Harbor companies. Exporting companies should ensure due diligence and contractual clauses are in place to ensure adequate security, but no additional due diligence is required just because of concerns about the scheme itself;

Name and Shame: The Complaints Resolution Team at the ICO has been renamed Performance Improvement. It is focussing on organisations that receive multiple complaints. Its aim is to start publishing on the ICO website the number of complaints against particular companies and the plans those companies have agreed to put in place to rectify the issues;

Stats and Breaches: The ICO has approximately 140 breaches notified to it each month, predominantly from the public sector;

Custodial Penalties: Christopher Graham's current bugbear is the length of time it is taking to get custodial penalties for breach of s.55 of the Data Protection Act onto the statute book.

Key Dates Calendar

10 March 2015

Enforced subject access requests become unlawful

Financial services companies are advised to note the date on which enforced subject access requests become unlawful and to take early action to ensure that enforced subject access requests are no longer requested.